EU Changing Law on Cookie Usage

2012 is becoming the year of the permission-based cookie.
The EU has been talking about it for years but plans to enforce it in 2012. The UK has set 26 May 2012 as its start date for compliance. So if you are not already asking for permission, you need to start.
If your site places cookies on a computer then you have to ask permission first. Simple as that. No more placing the cookie on the user's computer unbeknownst to them and explaining in a privacy policy what it is all about. You have to ask first.
The regulations will apply to all types of cookies: session and persistent, first and third party. No cookie is exempt outright, although an exception is likely to apply to cookies used solely to manage a customer's shopping cart. Cookies that track a customer's footprints, remember a customer from visit to visit, or identify them on other sites are not likely exceptions.
So what does this mean for eCommerce? You need to obtain explicit permission before tracking users' footprints and their purchases. So all that third-party tracking you have installed for Google Analytics and other tracking services has to be done on a permission basis.
Permission requires that you:

  • tell people that the site is using cookies before you store any cookies, i.e. when they land on your site
  • explain what each and every cookie is doing
  • obtain their (prior) consent to store these cookies on their device.

How to gain consent?
It is unlikely at this time that consent can be implied in any way, such as from a browser setting. In the future this might change, but for now it is not reliable and therefore not an acceptable method of consent.
So consent is a direct question and answer. You can see how that might work on the UK Information Commission website. One point to note is that if the user does not respond you cannot imply consent.
Does it apply to you?
An organisation based in the UK is subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided.
Failure to comply can incur fines.
Does it apply to us?
Yes. If we design websites for EU/UK usage then we also need to ensure that the website complies with the regulations. You cannot tell us not to design for it.
What you should do

  1. make sure you have a privacy policy
  2. make sure your privacy policy identifies each and every cookie and what it is for
  3. make sure your privacy policy explains how to opt out now or in the future
  4. make sure your privacy policy is easy to find
  5. implement a permission process, making sure you ask permission before storing cookies and that you record their consent, e.g. store a cookie saying they consented
  6. make sure you provide a way to remove your (and only your) cookies if they decide to later opt out
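Steps 5 and 6 in browser code, as an added example that is not part of the original post: nothing non-essential runs until an explicit "yes" is recorded, silence is never treated as consent, and an opt-out clears only this site's own cookies. The cookie names, the list of cookies the site sets, the shopping-cart exemption and the one-year consent lifetime are all assumptions.

```javascript
// Added example, not code from the original post. Cookie names, the list of
// cookies this site sets, and the 1-year consent lifetime are assumptions.
const CONSENT_COOKIE = "cookie_consent";
const OUR_COOKIES = ["cookie_consent", "_ga", "_gid", "prefs", "cart"]; // assumed: every cookie this site sets
const ESSENTIAL = ["cart"]; // assumed: the shopping-cart cookie is the only exempt one

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Only an explicit "yes" counts; no answer, or a "no", is not consent.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "yes";
}

// Set-Cookie value recording the user's answer so the question is not repeated on every page.
function consentCookieValue(answer) {
  return `${CONSENT_COOKIE}=${answer ? "yes" : "no"}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Which requested cookie-setting features may run: essential ones always,
// everything else (analytics, tracking, preferences) only after consent.
function allowedFeatures(cookieString, requested) {
  const consented = hasConsent(cookieString);
  return requested.filter((name) => ESSENTIAL.includes(name) || consented);
}

// Set-Cookie values that expire our own cookies (and only ours) on opt-out; the
// consent record and the exempt cart cookie stay. Path/Domain must match the
// original Set-Cookie, and cookies set by a third-party domain cannot be cleared
// from here at all; that needs the vendor's own opt-out.
function removalCookieValues(cookieString) {
  const present = parseCookies(cookieString);
  return OUR_COOKIES.filter((n) => n in present && n !== CONSENT_COOKIE && !ESSENTIAL.includes(n))
    .map((n) => `${n}=; Max-Age=0; Path=/`);
}

// Browser glue for the banner's Yes/No buttons (no-op outside a browser).
function recordAnswer(answer) {
  if (typeof document === "undefined") return;
  document.cookie = consentCookieValue(answer);
  if (!answer) for (const v of removalCookieValues(document.cookie)) document.cookie = v;
}
```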